FortiGate
sbabu
Staff
Article Id 336706
Description This article describes configuring an IPv6 PPPoE connection on a WAN interface where IPv4 PPPoE is already configured.
Scope FortiGate v7.0.X and later versions.
Solution
  1. Create a Virtual PPPoE interface to get an IPv6 address through the upstream PPPoE server.

config system pppoe-interface
    edit "wan1-pppoe"
        set ipv6 enable
        set device "wan2"
        set username "Admin"   <--- Use ISP-provided Username and password.
        set password "admin@123"
    next
end

  2. After the PPPoE virtual interface is configured, enable IPv6 DHCP mode.

config system interface
    edit "wan1-pppoe"
        set vdom "root"
        set mode pppoe
        set type tunnel
            config ipv6
                set ip6-mode dhcp
            end
        set interface "wan2"
    next
end

After DHCP mode is enabled, a PPPoE request is sent from the wan1-pppoe interface to the PPPoE server.

  3. It is possible to verify the assigned IPv6 address using the command below:

diagnose ipv6 address list
dev=52 devname=wan1-pppoe flag=P scope=0 prefix=128 addr=240d:172:16:200::100 preferred=4294967295 valid=4294967295
dev=52 devname=wan1-pppoe flag=P scope=253 prefix=10 addr=fe80::a5b:ed5:fffe:a445 preferred=4294967295 valid=4294967295

 

Or:

FGT_Main # config sys interface

FGT_Main (interface) # edit wan1-pppoe

FGT_Main (wan1-pppoe) # get
name : wan1-pppoe
vdom : root
mode : pppoe
ip : 172.16.200.66 255.255.255.255
......
ipv6:
ip6-mode : dhcp
nd-mode : basic
ip6-address : 240d:172:16:200::100/128 <---
ip6-allowaccess : ping https ssh snmp http
ip6-reachable-time : 0
ip6-retrans-time : 0
ip6-hop-limit : 0
dhcp6-prefix-delegation: disable
PPPOE Gateway : 172.16.200.65
wccp : disable
interface : wan2

 

  4. Configure a default route with the PPPoE virtual interface, then try pinging an IPv6 server.

config router static6
    edit 1
        set device "wan1-pppoe"
    next
end

 

  5. Test the ping from the FortiGate using the CLI.

execute ping6-options interface wan1-pppoe
execute ping6 google.com

PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=255 time=1.05 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=255 time=0.480 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=255 time=0.430 ms
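
The address check in step 3 can be scripted. The Python below is an added example, not Fortinet code: it parses pasted output of diagnose ipv6 address list and reports whether the PPPoE interface holds a global unicast address or only a link-local one. The function names and status strings are assumptions of this example; the sample lines are the ones shown in step 3.

```python
import ipaddress
import re

# Constructed sample: the two output lines shown in step 3.
SAMPLE = """\
dev=52 devname=wan1-pppoe flag=P scope=0 prefix=128 addr=240d:172:16:200::100 preferred=4294967295 valid=4294967295
dev=52 devname=wan1-pppoe flag=P scope=253 prefix=10 addr=fe80::a5b:ed5:fffe:a445 preferred=4294967295 valid=4294967295
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
PAIR = re.compile(r"(\w+)=(\S+)")


def parse_address_list(text):
    """Turn each key=value line into a dict; skip lines that do not parse."""
    entries = []
    for line in text.splitlines():
        fields = dict(PAIR.findall(line))
        if "devname" not in fields or "addr" not in fields:
            continue  # banner, prompt or unrelated line
        try:
            fields["addr"] = ipaddress.IPv6Address(fields["addr"])
        except ValueError:
            continue  # truncated or garbled address
        entries.append(fields)
    return entries


def classify(entries, ifname):
    """Return (global_addrs, link_local_addrs) for one interface."""
    mine = [e["addr"] for e in entries if e["devname"] == ifname]
    global_addrs = [a for a in mine if a in GLOBAL_UNICAST]
    link_local = [a for a in mine if a.is_link_local]
    return global_addrs, link_local


def pppoe_ipv6_status(text, ifname="wan1-pppoe"):
    """Hypothetical helper: summarise the IPv6 state of one interface."""
    global_addrs, link_local = classify(parse_address_list(text), ifname)
    if global_addrs:
        return "ok"
    if link_local:
        return "link-local-only"  # IPv6 is up, but no address from upstream
    return "no-ipv6"


if __name__ == "__main__":
    print(pppoe_ipv6_status(SAMPLE))
```

A result of link-local-only or no-ipv6 is the case the troubleshooting commands below are meant for.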

 

If no IP addresses are received from the PPPoE server, run a packet capture and debugging using the commands below.

For packet capture:

diagnose sniffer packet any 'icmp6 and ip6[40] == 134' 4 0

 

Note: If RAs from the ISP/upstream are missing in a prefix delegation scenario, a default route must be configured manually, pointing to the ISP's link-local address as the gateway, to be able to reach the internet.

For debugging:

diagnose debug application pppoed -1
diagnose debug application ppp 255
diagnose debug application dhcp6 -1
diagnose debug enable

 

To stop the debugs:

diagnose debug disable
diagnose debug reset